Splunk Search

How do I search the count of how many times a keyword appears, not the event count?

PeterChu
Explorer

Hi All:

How do I write a search to find the count of how many times a keyword appears, not the event count?
As far as I know, |stats count just searches the event count.

ex:
myLog="Helen is a good girl. Helen is beautiful."

I want to know "Helen" occurs with a count of 2.

Thanks a lot.

Tags (3)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Alternate solution avoiding mvexpand so it could be applied to many events at once:

| stats count as text | eval text = "Helen is a good girl. Helen is beautiful."
| eval tokens = lower(replace(text, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)

Replace the first line with your search returning a field text and it'll produce a count for each event.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Alternate solution avoiding mvexpand so it could be applied to many events at once:

| stats count as text | eval text = "Helen is a good girl. Helen is beautiful."
| eval tokens = lower(replace(text, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)

Replace the first line with your search returning a field text and it'll produce a count for each event.

martin_mueller
SplunkTrust
SplunkTrust

You should see a field count in the left bar. Alternatively, add | table _raw count to the end to make it show in the Statistics tab.

0 Karma

PeterChu
Explorer

Nice , if I add "| table _raw count " I can get count=2
Final my search command look like

sourcetype=test
 | eval tokens = lower(replace(_raw, "\W+", " "))
 | makemv tokens
 | eval matches = mvfilter(match(tokens, "^helen$"))
 | eval count = mvcount(matches)
 | table _raw count

I deeply appreciated your kindness .

martin_mueller
SplunkTrust
SplunkTrust

If that's the raw text returned then this should do:

sourcetype=test
| eval tokens = lower(replace(_raw, "\W+", " "))
| makemv tokens
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)
0 Karma

PeterChu
Explorer

Hi Martin:
I use the search command you mentioned above, but the result only can see the log event, can't see anything on statistics.
Maybe I must count _raw to a field ?

Thanks.

0 Karma

PeterChu
Explorer

Hi Martin:
Thanks your help, but I still don't know how to apply my search language to replace text.
ex:my search is " sourcetype=test " and the result will be "Helen is a good girl. Helen is beautiful."
Can I use the search cmd to replace the log. Maybe it is likely a subsearch?

Thanks again.

0 Karma

MuS
Legend

Hi PeterChu,

I don't know if there is a better way to do this; but have a look at this run everywhere example to get an idea how it could be done:

| gentimes start=-1 |  eval myLog="Helen is a good girl. Helen is beautiful." 
| rex field=myLog "(?<word>\S+)" max_match=0 
| mvexpand word 
| search word="Helen"
| stats count  
| eval Count=if(count=="2", "Twice", count) 
| table word, Count

The first line is only to create the event, then I use rex to get the single words and expand it into single value field called word, search for all word="Helen", count them and display the result.

Hope that helps ...

cheers, MuS

HiroshiSatoh
Champion

What in this?

・・・・|eval list=split(_raw," Helen is")|eval count=mvcount(list)-1

However, also counts "XXXHelen is" and "YYYHelen is".

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...